Process Environment Information Leak
Weakness ID: 214 (Weakness Variant) | Status: Incomplete
Description Summary
Extended Description
Many operating systems allow a user to list information about processes that are owned by other users. This information could include command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the software or related resources.
Example 1
In the Java example below, the password for a keystore file is read from a system property. If the property is defined on the command line when the program is invoked (using the -D... syntax), the password may be displayed in the OS process list.
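An added example, not the CWE entry's own listing: the pattern described above next to a hardened alternative that passes only the path of an owner-only secret file. The property name `keystore.password`, the class name and the argument order are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Set;

public class KeystoreLoader { // hypothetical class name

    // Weak: with `java -Dkeystore.password=... KeystoreLoader`, the value is part of
    // the JVM's argument vector and appears in process listings such as `ps`.
    static char[] passwordFromProperty() {
        String p = System.getProperty("keystore.password"); // hypothetical property name
        return p == null ? null : p.toCharArray();
    }

    // Hardened: only the path of a secret file is passed on the command line; the
    // password is read from a file that must be owner-only (POSIX file systems).
    static char[] passwordFromFile(Path secretFile) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(secretFile);
        for (PosixFilePermission p : perms) {
            if (p != PosixFilePermission.OWNER_READ && p != PosixFilePermission.OWNER_WRITE) {
                throw new IOException(secretFile + " is accessible beyond its owner: " + perms);
            }
        }
        byte[] raw = Files.readAllBytes(secretFile);
        char[] pw = new String(raw, StandardCharsets.UTF_8).trim().toCharArray();
        Arrays.fill(raw, (byte) 0); // clear the raw file bytes once converted
        return pw;
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        if (args.length != 2) throw new IllegalArgumentException("usage: KeystoreLoader <keystore> <secret-file>");
        if (passwordFromProperty() != null) {
            System.err.println("warning: keystore.password is set; if passed with -D it is visible in the process list");
        }
        char[] pw = passwordFromFile(Paths.get(args[1]));
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, pw);
        } finally {
            Arrays.fill(pw, '\0'); // clear the password array after use
        }
        System.out.println("keystore loaded, entries: " + ks.size());
    }
}
```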
Reference | Description |
---|---|
CVE-2005-1387 | Password passed on command line. |
CVE-2005-2291 | Password passed on command line. |
CVE-2001-1565 | Username/password on command line allows local users to view via "ps" or other process listing programs. |
CVE-2004-1948 | Username/password on command line allows local users to view via "ps" or other process listing programs. |
CVE-1999-1270 | PGP passphrase provided as command line argument. |
CVE-2004-1058 | Kernel race condition allows reading of environment variables of a process that is still spawning. |
Compartmentalize your system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 200 | Information Exposure | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
ChildOf | Category | 634 | Weaknesses that Affect System Processes | Resource-specific Weaknesses (primary) 631 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | | | Process information infoleak to other processes |
Submissions
Submission Date | Submitter | Organization | Source |
---|---|---|---|
 | PLOVER | | Externally Mined |
Modifications
Modification Date | Modifier | Organization | Source | Comment |
---|---|---|---|---|
2008-07-01 | Sean Eidemiller | Cigital | External | added/updated demonstrative examples |
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Taxonomy Mappings |
2008-10-14 | CWE Content Team | MITRE | Internal | updated Description, Other Notes |
2009-10-29 | CWE Content Team | MITRE | Internal | updated Other Notes |
Previous Entry Names
Change Date | Previous Entry Name |
---|---|
2008-04-11 | Process Information Leak to Other Processes |